Fix ASP.NET Membership Providers.
We have ASP.NET Identity, which is a next-gen membership system for ASP.NET. ASP.NET Identity has first-class support for external logins such as Facebook, Microsoft, etc., as well as local logins. ASP.NET Identity also allows you to build your app so it is unit testable as well. It works the same way for MVC, Web Forms, Web API and any type of web application. There is a pluggable storage mechanism, so you can replace the default implementation, which is SQL Server, with non-SQL stores such as Azure Table Storage, RavenDB, etc. Please see asp.net/identity for more details.
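As an added illustration of the pluggable-store point above (this is example code written here, not code from the page or from the ASP.NET Identity project), the following plugs a custom user store into UserManager; it assumes the Microsoft.AspNet.Identity 2.x package, and the names AppUser, InMemoryUserStore and Demo are chosen for this example. It also shows the validator setting needed for e-mail addresses as user names, which several commenters below ask for.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Minimal user type; IUser<string> is what UserManager<TUser> expects.
public class AppUser : IUser<string>
{
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public string UserName { get; set; }
    public string PasswordHash { get; set; }   // only the hash is ever stored, never the password
}

// Hypothetical in-memory store standing in for a non-SQL backend (Azure Table Storage, RavenDB, ...).
// IUserPasswordStore is required so UserManager can persist and later verify password hashes.
public class InMemoryUserStore : IUserStore<AppUser>, IUserPasswordStore<AppUser>
{
    private readonly ConcurrentDictionary<string, AppUser> _byId = new ConcurrentDictionary<string, AppUser>();

    public Task CreateAsync(AppUser user) { _byId[user.Id] = user; return Task.FromResult(0); }
    public Task UpdateAsync(AppUser user) { _byId[user.Id] = user; return Task.FromResult(0); }
    public Task DeleteAsync(AppUser user) { AppUser _; _byId.TryRemove(user.Id, out _); return Task.FromResult(0); }
    public Task<AppUser> FindByIdAsync(string userId) { AppUser u; _byId.TryGetValue(userId, out u); return Task.FromResult(u); }
    public Task<AppUser> FindByNameAsync(string userName) =>
        Task.FromResult(_byId.Values.FirstOrDefault(
            u => string.Equals(u.UserName, userName, StringComparison.OrdinalIgnoreCase)));

    public Task SetPasswordHashAsync(AppUser user, string hash) { user.PasswordHash = hash; return Task.FromResult(0); }
    public Task<string> GetPasswordHashAsync(AppUser user) => Task.FromResult(user.PasswordHash);
    public Task<bool> HasPasswordAsync(AppUser user) => Task.FromResult(user.PasswordHash != null);
    public void Dispose() { }
}

public static class Demo
{
    public static async Task Run()
    {
        var manager = new UserManager<AppUser>(new InMemoryUserStore());
        // The default validator rejects '@' in user names; relax it so an e-mail address can be the user name.
        manager.UserValidator = new UserValidator<AppUser>(manager) { AllowOnlyAlphanumericUserNames = false };

        // Constructed sample credentials. UserManager hashes the password via its PasswordHasher before
        // calling SetPasswordHashAsync, so the store never sees the clear-text password.
        IdentityResult created = await manager.CreateAsync(new AppUser { UserName = "alice@example.com" }, "Correct-Horse-Battery-9");
        Console.WriteLine("create succeeded: " + created.Succeeded);

        // FindAsync verifies the supplied password against the stored hash; a wrong password yields null.
        AppUser ok = await manager.FindAsync("alice@example.com", "Correct-Horse-Battery-9");
        AppUser bad = await manager.FindAsync("alice@example.com", "not-the-password");
        Console.WriteLine("right password found user: " + (ok != null) + ", wrong password found user: " + (bad != null));
    }
}
```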
Steve Smith commented
Any new system needs to:
1) Work with WebForms and some kind of UI controls (whether it's updating the existing Login controls or replacing them).
2) Work with LiveID, OpenID, etc. as a first-class, easy to set up option.
3) Work with MVC and ideally provide HTML Helpers.
4) Work with DI and IoC containers, be unit testable, and allow solutions built with it to be unit testable.
Michiel van Otegem commented
I would actually prefer a move towards Windows Identity Foundation. I haven't used ASP.NET Membership in about 18 months (except for demos). Having user management embedded in an app feels archaic to me. No offense.
With WIF, using OpenID is a breeze. Just use Starter STS as your identity provider. It supports OpenID out-of-the-box.
Scott Galloway commented
The provider model is getting really long in the tooth, especially with the widespread use of DI/composition-based approaches.
Most of us have something better in use; kill the current providers, work out something better.
Jason Gaylord commented
One of the items that I always do with the providers is use a modified version of the sandboxed SqlTableProfileProvider that has a version column. When I change the version in my config file, it forces individuals to their profile page on next login. We use this in our b2b implementations.
Also, make it easier for individuals to swap out the membership provider with an OpenID provider. The profile would still be custom, but let the user sign in using OpenID (Facebook, Twitter, etc.).
Michal A. Valasek commented
I second several ideas already discussed here:
- out-of-the-box user management
- e-mail address as username
- table providers
Also, you should make writing providers easier. Right now the base class forces you to implement (or explicitly ignore) many things that may not be needed (application name, password reset questions, blocking an account after invalid login attempts...) and forces you to implement logic that can be done at a higher level (i.e. validation of a new password).
Writing providers is not hard, but it's confusing.
I implemented some of the ideas here: http://altairiswebsecurity.codeplex.com/wikipage?title=SQL%20Table%20Providers&referringTitle=Home
I like the idea of using EF, but like others have said, it should be pluggable.
Vicenç Masanas commented
Support for a SQL table provider is highly desired. Also something that integrates better with the WAP model.
I remember a long conversation on this on the aspinsiders list driven by Ken Cox a while ago.
Vishal R. Joshi commented
Nathan/Wally, we have ideas on how to fix this. Make it EF based, allow email as username, etc. But it would be good to hear from you all what you think the fix should look like, and we can consider adding that to the design.
Nathan Blevins commented
These guys def need an update. Like Wally says, I am not sure what all "fix" entails.
Dave Sussman commented
I'd echo Scott's point about some admin functionality. Maybe some user controls / views / HTML helpers shipped as part of a sample app, even.
Scott Mitchell commented
Some ideas off the top of my head:
-- Could use better support for using an email address as the username.
-- One part that trips up beginners is no out-of-the-box support for managing user accounts on a public-facing website. Yes, there's the AWAT, but it only runs locally.
Keith Barrows commented
Don't make SQL the de facto back-end store. There should be a separation between the data store and provider use within an app. Yes, it should depend on a known Model, but that Model should be creatable in any storage medium.
Support Single Sign-On and such. MS made such a huge thing about Passport, and pretty much the only place I use it is on MS sites. Twitter, Facebook, OpenID all have a greater footprint as far as I can see.
Wallace McClure commented
What does "Fix" mean?